CLOUDACCESS 877-550-2568 www.cloudaccess.com
SECURITY FROM THE CLOUD: HOW TO ENSURE A SUCCESSFUL IAM PROGRAM
Business-Driven Identity and Access Management From the Cloud

“Most enterprise customers are beginning to realize the value of identity and access management (IAM) technology as an integral part of their arsenal of security tools.” - Forbes
INTRODUCTION

Identity and Access Management projects are among the most visible IT initiatives that enterprises undertake, since they involve so much interaction with line-of-business users. Despite their high-profile nature, many organizations unfortunately continue to struggle with their IAM programs, which can add to line-of-business frustration with IT. Fortunately, by taking a Business-Driven approach to IAM and adopting the best practices outlined in the four-step approach presented here, you can put yourself on the pathway to a successful IAM implementation, and improve the line-of-business experience with IT.

Before we examine the four-step approach, let’s explain why a business-driven approach to IAM is so important.
What is Business-Driven Identity and Access Management?

In order to ensure a successful IAM initiative, it’s important to take a business-driven, rather than an IT-driven, approach. Doing so fundamentally changes the nature of IAM challenges, dramatically improves the overall success rate, and increases the value realized by most organizations.

Specifically, by taking a business-driven identity and access management approach, companies can empower business owners to take responsibility for identity and access decisions, consistently provide full business context across Identity and Access Management systems, connect to the full set of key applications and data resources, and significantly lower the total cost of ownership while scaling to modern enterprise environments.

Presented by CloudAccess:
CloudAccess provides comprehensive security-as-a-service from the cloud. Our suite of robust and scalable solutions eliminates the challenges of deploying enterprise-class security solutions, including costs, risks, resources, time-to-market, and administration. By providing such integral services as SIEM, Identity Management, Log Management, Single Sign On, Web SSO, and Access Management, CloudAccess offers cost-effective, high-performance solutions controlled and managed from the cloud that meet compliance requirements and diverse business needs, and ensure the necessary protection of IT assets.
www.CloudAccess.com
877-550-2568
CloudAccess, Inc, 12121 Wilshire Blvd, Suite 1111, Los Angeles, CA 90025
A business-driven identity and access management solution is one which enables:
- IT to transform a technical problem into a solution that provides business context
- The Business to take accountability and responsibility for making access decisions and managing the access lifecycle, within controls and constraints defined by InfoSec
- Easy configuration, expandable to cover the full set of key applications and data resources
- A single unified environment for the entire access and compliance lifecycle

Next, let’s examine the four steps that will put you on track for a successful IAM program.
TOP TRENDS FOR IAM:
- Compliance/Governance
- Enterprise access control
- Securely interact with mobile, cloud apps and social media
- Insider threats/carelessness
- Password management
- Automate reporting, collect usage statistics
- Authentication/validation
Learn how to achieve this from the cloud: www.cloudaccess.com
Step 1: Begin With the End in Mind

Over the past decade many organizations have invested in security administration automation tools, attempting to automate account and identity-related IT tasks. However, these tools typically fell short of expectations, and were rarely deployed broadly across the enterprise. Many organizations experienced long project cycles and high deployment costs with these traditional IAM tools, and typically ended up with only a handful of connected systems.

Today’s computing, security, and compliance environments demand that your governance and identity management systems cover most if not all of your key applications and data resources, independent of whether they are on-premise or in the cloud.

And, your IAM initiative should account for current and future areas of growth – including hosted cloud applications, increased access from mobile devices, and a trend toward Bring Your Own Device (BYOD).

In the face of all this complexity, it’s important to choose the right solution, and take a phased approach to IAM, so that your organization can reliably and regularly deliver value to the business. Over the past several years, we’ve seen our customers be more successful, and more rapidly deliver business value, by taking the following phased approach:
- Visibility and Certification: Automated collection, cleansing, and normalization of fine-grained access rights. For access certifications (also known as reviews), these must be presented in business-user-friendly terms, not as complex IT jargon.
- Policy Management: Business context for improved decision-making and efficient business processes, such as for Joiners, Movers, and Leavers. And, automated evaluation and workflow-based enforcement of policies, rules and standards.
- Role Management: Role discovery and creation, which enables business managers to more easily manage entitlement changes, and better align entitlements with business functions.
- Request Management: Simplify and automate with a self-service access request portal for business users, and an auditable and policy-compliant change management engine for IT.
- Access Change Fulfillment: Executing and validating business-driven changes to identities and access rights. It’s important to use a modern IAM platform which can rapidly and easily connect to all your key IT systems.

THE ISSUES ARE WIDESPREAD*:
- 91% of companies have experienced at least one IT security event from an external source.
- 90% of all cyber crime costs are those caused by web attacks, malicious code and malicious insiders.
- Due to complexity, over 70% of organizations are still not adequately securing critical systems.
Learn how to prevent this from the cloud: www.cloudaccess.com
*Statistics collected from various industry sources including Gartner, Forrester, Ponemon, Kaspersky, and Echelon

Metrics should be established that facilitate common ground for measuring effectiveness of security measures
Finally, there are three additional recommendations that are key to putting your IAM project on a pathway to success:

Know Your IAM Stakeholders:
This is sometimes more challenging than it appears. Are your biggest benefactors at the Chief Officer level, or departmental leaders? Is the IAM project focused on day-to-day operations, cost control, or security and compliance gap mitigation? Is this the first formal IAM project, or is this a second (or even third) IAM project undertaken? The point here is to do your research and understand why this project is important, and to whom. This will help you build confidence and allies simultaneously.

Build the Right Support:
Building on the ecosystem of stakeholders you’ve identified, take a simple draft of your plan to each of them (individually if possible), actively solicit their feedback, and be clear about which elements of it you can, and cannot, incorporate in the initial project phase. Review and validate the agreed-to project timeline, deliverables, and scope, so that there are no surprises. It is also imperative to communicate often, deliberately, and regularly with your ecosystem as the project progresses.
THE DIFFERENCE BETWEEN IDENTITY AND ACCESS MANAGEMENT:
Identity Management is the creation and management of a user account and its credentialed rights. It AUTHENTICATES.
Access Management is the enforcement of the administered rights, in terms of which applications and data that entity is allowed to see. It AUTHORIZES.
Learn how to integrate these from the cloud: www.cloudaccess.com
Play To Win:
The last piece of the puzzle is to make sure that you can articulate your organization’s current challenges and requirements, and how you’re going to accomplish this within the current company culture. By doing so, you can convert skeptics into supporters. Know when to utilize your executive champions and sponsors as highly visible representatives or spokespeople, and occasionally as final decision makers to eliminate project barriers. Use this trump card sparingly, but when necessary. If you’ve built the proper ecosystem of supporters, this should be required very infrequently.

Next, let’s explore Step 2, where you quantify the current problem and model the benefits your project will deliver.
Step 2: Quantify the Problem

One area where project teams unfortunately don’t often spend quite enough time is the creation of a robust and credible Business Value Assessment (BVA), sometimes referred to as a Business Case. We’ve found that organizations that do make this effort will more frequently be able to justify, prioritize, and ultimately successfully execute on their IAM programs. The BVA is important for two reasons.

First, IAM project teams need to obtain an objective view of the effort and costs that their current IAM program imposes on the organization. While project teams typically have an implicit understanding of which areas are hard for their direct team, it’s often not until they see the full picture, supported by hard numbers, that they can get a sense for how much of a burden IAM programs impose on the organization as a whole.

Second, oftentimes there are multiple IT or InfoSec projects competing for the same set of human or financial resources. As always, organizations have limited resources, and must choose among multiple projects, all of which will deliver some benefit.

We’ve found that having a solid business case in place significantly increases the likelihood that a project will be funded and staffed. It shows focus and discipline, and demonstrates that project leaders understand the connection between IT projects and business value.
GAINING GROUND
- 91% of SMBs using the cloud said their cloud provider made it easier for them to satisfy compliance requirements… this is in stark contrast to the 39% of on-premise users who said compliance requirements barred them from using cloud applications.
- 62% of cloud-adopters said their levels of privacy protection increased.
- 73% said they were more confident in the integrity of their data using the cloud service.
From Microsoft via Security Week
Discover reliability from the cloud: www.cloudaccess.com
Who Should Perform the BVA?
While some organizations may choose to perform a business value assessment internally, we recommend that IAM teams rely on an experienced partner – in particular, working with the vendor that provides the associated IAM software solution. You should choose a software provider that’s eager to assist, and willing to put in the time and effort at no cost to you. By doing so, you can leverage their experience performing similar BVAs at other organizations like yours. This pays dividends in two ways. First, by following their well-understood approach to building the BVA, you’ll be able to accomplish this more efficiently and more comprehensively than if you tackle it alone. Second, because in most cases it’s not feasible to get complete data on how your organization spends its time and effort, the vendor will be able to provide guidance on how peer organizations operate, to help build a complete model.

How does it work?
The assessment should be focused on obtaining an understanding of specifically how your organization is currently performing identity management and access governance activities, and quantifying the effort. The goal is to create a jointly crafted model of your organization’s identity management processes, and the effort required to sustain those processes. This will provide a clear picture of the current cost and burden that your organization is shouldering, and will help you clearly understand the gap between current and desired states. Frequently, this model will cover not just the organization’s current state, but extrapolate to cover where the organization knows it must be in the next 12-18 months.

Who should be involved?
In order for the session to be as effective as possible, think about (and invite) people in your organization who are directly involved in identity management activities. This may include people in Information Security, IT, Corporate Risk & Compliance, and of course, line of business managers.
6 REQUIREMENTS FOR EFFECTIVE FRAUD PREVENTION:
- Layered Security
- Real-time, intelligence-based risk assessment
- Rapid adaptation against evolving threats
- Transaction Anomaly Prevention
- Minimize end user impact
- Minimize deployment, management and operational costs
The Results
The workshop results in a mutually agreed-upon model of costs, and a defensible set of benefits that are projected to result from the IAM project. What we mean by “defensible” is a set of data built from actual current costs, processes, and effectiveness within your organization. (Note that this data is also extremely useful for choosing key performance indicators and critical success factors for the actual project.)

At its essence, the model is very simple. It captures which activities are performed, how frequently they’re performed, how long it takes to perform them each time, and how many people perform them. These activities are shown in their current state, and compared with the to-be state, once the IAM program is in place. The model also highlights any current gaps, showing the quantitative and qualitative benefits of closing them. Finally, the efforts for these activities are combined with the organization’s fully-burdened hourly costs, to establish cost and effort models for the different scenarios.

With a completed business value assessment, you’ll have a solid, quantified basis for justifying your IAM project, built on defensible and credible numbers about the current effort your organization is expending. And, you’ll have a detailed understanding of which IAM elements are highest priority for you – setting you up for a focused and successful evaluation of potential vendor solutions.

This takes us to Step 3, where you validate candidate solutions.
Step 3: Validate the Solution

Successful IAM teams recognize the importance of validating the capabilities of the products under consideration, by executing a Proof-of-Value (POV). This is necessary for three reasons – first, to ensure that each vendor’s claims are true, and that their solution is capable of meeting your requirements in your environment. Second, to confirm that the cost and effort savings projected in the Business Value Assessment are in fact reasonable and achievable in your environment. Third, and perhaps most importantly, it’s necessary for your team to get an unvarnished view of the time, effort, and skills required to deploy each vendor’s solution. Leading analyst firms recognize that for typical IAM projects, organizations often spend 3 to 4 times more on implementation services than on software licenses! It’s critical that you gain confidence that your team will be able to quickly and reliably implement the solution, avoiding the extensive and expensive consulting resources required by traditional approaches to IAM.

STANDARD IDaaS FEATURES:
- Provisioning/deprovisioning (add/delete user accounts)
- Password management
- Role-based identity groups/individuals for access
- Automatic directory (Active Directory, LDAP, etc.) propagation (using data in these infrastructure databases to populate/control IDM)
- User self-service
- Multi-lateral password synchronization
- Access recertification
- Request management
- Business process/rules mapping
- Federated connectors to secure applications
- Comprehensive audits, reports for compliance
- Graphical integrated approval workflow
Sadly, a trend has developed in recent years to purchase software without actually validating it, perhaps due to short project timeframes, organizational pressures, or resource scheduling difficulties. However, in most cases this dramatically raises the risk of unexpected downstream costs, significantly higher effort, and project failure.

The good news for those teams following this process is that the scenarios to be validated will have already been documented and agreed to during the creation of the Business Value Assessment, setting you up for a focused and effective POV. One final recommendation: Make sure that you use very specific language to describe the use cases to be validated, so that each vendor interprets the requirements identically. Note that often, you can ask your solution vendor to help, by providing a template with the key use cases defined for you.
Proof-of-Value Guidelines:
A Proof of Value is a limited-time evaluation of a vendor’s solution, structured with the intent of evaluating how well this solution meets your required set of technical functionality, scalability, and performance characteristics. A POV is best defined as “proving the solution capabilities”, in your environment with your data.

In general, there are a few basic rules to ensure a successful POV:
- The POV must have a clearly defined start and end date, and ideally be completed within 5 days
- Vendors must not charge you a fee to perform the POV
- Functionality to be evaluated must be specified and agreed to beforehand
- The POV must be a joint effort between the vendor and your technical staff, product evaluators, and stakeholders
- All vendor efforts must be performed by the onsite team, under your supervision. Some vendors, in an attempt to hide implementation complexity, will use remote resources to augment their on-site POV team
- You must get a level of confidence that if purchased, you and your team will be able to use the vendor product successfully, without requiring extensive onsite vendor specialists

STANDARD SSO FEATURES:
- Access for both SaaS and Web applications/platforms
- Authentication and access control by IP address
- Integration with AD, LDAP, SQL, etc.
- Dynamic portal grouping users’ permitted applications
- User self-service for password reset
- 2-factor authentication for BYOD
- Authentication chaining
- Whitelisting/blacklisting of allowed/disallowed sites/apps
- Risk adaptation (traveling IPs)
- Identity gateway enables access to 1000s of websites, on-premise and legacy applications
Finally – use the POV as a highly visible event with your internal stakeholders – within IT and across the line of business. The POV is a great opportunity to build strong ties with the software vendor, and to communicate the effectiveness of your new IAM program across your organization.

Once you’ve followed these steps and selected a vendor, you’re ready for a successful IAM project, which takes us to Step 4 – planning to quickly deliver value to the business.

Step 4: Quickly Deliver Value

In step 1, recall that we recommended that you define a phased approach to your IAM program, and connect your goals with business value. In step 2, you quantified the value, and in step 3, you validated and selected a vendor. Now, it’s time to deliver.

Your project definition must take into account not only the technology and business processes to be addressed, but also your organization’s historical success rate in acquiring, implementing, and consuming business-facing technologies. That is, it’s very helpful to have an understanding of how and why similar projects have recently succeeded or failed at your organization.
As stated earlier, IAM projects are often quite visible (because everyone has access to some IT resources) and unfortunately sometimes political (because processes and applications are often owned departmentally). So, when forming the initial plans for the solution rollout, you must always take the time to fully understand the needs and perceptions of the users, sponsors and customers of these technologies.

Based on your best understanding of different requirements, needs, and expectations across the organization, you can now create a prioritized set of deliverables, with an emphasis on those that have a high impact (and yet can be deployed quickly).

This is where the rigorous vendor evaluation process from step 3 pays its dividends – because you have already validated that the solution can meet your technical needs, and proven that your team has the skills to successfully use the solution, you can confidently proceed with the project, and rapidly deliver business value. That is, go after the “low-hanging fruit”, and publish these successes loudly and repeatedly. Nothing fosters confidence like success.

Contrast this with a hypothetical team that took an ill-advised shortcut, and didn’t perform a proof-of-value. At this point in the project, because they didn’t get direct experience with the product in question, there are many unknowns: Will their team have the skills to successfully implement the product? Will they unexpectedly require outside consultants, adding to the project cost and duration? Will the product actually meet their requirements, in their environment? This is a high-risk approach, as selection of an inappropriate vendor tool is the underlying cause of many project failures.

Conclusion

By taking a business-driven approach to identity and access management, and following the four steps outlined here, you’re setting up your team and your organization for a successful project. By planning out a properly phased implementation, building a concrete business case, and validating the vendor solution, you’re primed to deliver value to the business, and have a solid foundation for the remaining phases of your IAM initiative.
OTHER KEY IAM RESOURCES:
- Secret sauce of user provisioning
- Erasing the Identity Blind Spot
- Identity-as-a-service (IDaaS) is more important than ever
- Mirror Mirror: the difference between identity and Access Management
- Consolidating the Variables: Augmenting Existing Identity Management Systems
Learn more about IAM from the cloud: www.cloudaccess.com
ACHIEVING COMPLIANCE IS EASIER, COST-FRIENDLIER AND MORE COMPREHENSIVE WITH CLOUD ACCESS.
CONTACT US FOR A LIVE ONLINE DEMONSTRATION OF INTEGRATED REACT SOLUTIONS DELIVERED AND MANAGED FROM THE CLOUD.
The sky is no longer the limit with secure, affordable cloud security solutions from CloudAccess.
WANT TO LEARN MORE ABOUT CLOUD SECURITY? www.CloudAccess.com
MORE INFORMATION:
CONTACT: 877-550-2568
Read Our Blog: http://www.cloudaccess.com/blog